No root for you, or how to stop worrying and love AWS China
Making resilient CICD pipelines requires careful planning
If you open an AWS account in China, you don't get a root account; instead, one of Amazon's Chinese operating partners, Sinnet or NWCD, has root access and creates an IAM admin user for you.
She did so to illustrate the challenge of making a CICD pipeline work across the cloud environment.
IT people like to talk about "the cloud" as if it were a singular thing. But companies running applications in the cloud still have to deal with political boundaries – thanks GDPR – and technical ones too. The cloud turns out to be a rather fragmented place.
Bailey said AWS China demands different design patterns for software pipelines. That of course assumes the marketing need to operate in China outweighs concerns from the information security group about ceding root access to a third party.
There's no account sharing between China and the rest of AWS, she explained. Beyond the lack of root access, other security features are missing: there's no Key Management Service (KMS) and no CloudTrail log file validation.
Neither is there any managed DNS service – no Route53, sorry about that.
Oh, and you need to apply for a permit to serve traffic on port 80 or 443. Then there are potential issues arising from the so-called Great Firewall.
Differences of this sort tend to be unanticipated in configuration scripts.
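One way to make such differences explicit before a deploy runs, as an added example that is not from the talk or from Illumina's tooling: a small Python pre-flight check that walks a deployment configuration and reports the assumptions the talk lists as breaking in the aws-cn partition (KMS, Route 53, CloudTrail log file validation, the port permit, and ARNs hard-coded to the global partition). The config keys and the sample configuration are constructed for illustration, and the service constraints are those stated in the talk, not a claim about what AWS China offers today.

```python
from dataclasses import dataclass
from typing import List

# Constraints as described in the talk; assumed here for the aws-cn partition.
# Verify against current AWS documentation before relying on them.
CN_REGIONS = {"cn-north-1", "cn-northwest-1"}
CN_UNAVAILABLE = {
    "kms": "Key Management Service (KMS) is not available",
    "route53": "managed DNS (Route 53) is not available",
    "cloudtrail_log_validation": "CloudTrail log file validation is not available",
}
CN_PERMIT_PORTS = {80, 443}


@dataclass
class Finding:
    key: str      # config key the finding applies to
    message: str  # why it will not work as written in AWS China


def partition_for(region: str) -> str:
    """Map a region name to its ARN partition ('aws' or 'aws-cn')."""
    return "aws-cn" if region in CN_REGIONS else "aws"


def preflight(config: dict) -> List[Finding]:
    """Return every environment-specific assumption in a deployment config
    that would break silently once the target region is in AWS China."""
    findings: List[Finding] = []
    region = config.get("region", "")
    if partition_for(region) != "aws-cn":
        return findings  # global partition: nothing from the talk applies
    # ARNs copied from the global partition never resolve in aws-cn.
    for key, value in config.items():
        if isinstance(value, str) and value.startswith("arn:aws:"):
            findings.append(Finding(key, f"ARN uses partition 'aws' but {region} is in 'aws-cn'"))
    # Services the pipeline assumes but the talk says are missing.
    for service, reason in CN_UNAVAILABLE.items():
        if config.get(service):
            findings.append(Finding(service, reason))
    # Public web ports need a permit before traffic can be served.
    for port in config.get("public_ports", []):
        if port in CN_PERMIT_PORTS:
            findings.append(Finding("public_ports", f"serving on port {port} requires a permit"))
    return findings


SAMPLE_CONFIG = {  # constructed example config, not a real deployment
    "region": "cn-north-1",
    "kms": {"key_alias": "alias/app-secrets"},
    "route53": {"zone": "example.internal"},
    "cloudtrail_log_validation": True,
    "public_ports": [22, 443],
    "artifact_bucket_arn": "arn:aws:s3:::build-artifacts",
}
```

Running `preflight(SAMPLE_CONFIG)` yields five findings, one per assumption above; the same config with `region` set to a global region yields none, which is exactly the divergence a pipeline author tends not to anticipate.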
"Our process for deploying was extremely context dependent and environmentally specific," explained Bailey.
Inconsistencies between environments tend to add complexity to deployment tooling, she said, and complexity makes automation difficult to maintain, which in turn means time lost to debugging.
To overcome these challenges, Bailey stressed the need for strong DevOps practices to ensure that automation doesn't break down in different environments. This involves having teams work cross-functionally, making apps easy to validate and debug, automating undifferentiated work with CICD jobs as much as possible, and minimizing divergence between environments.
"If you're working in a cloud environment, your infrastructure is part of your code base to some extent," she said.
For China, Illumina went a step further. The company decided to segregate AWS China from its corporate network. Adjustments had to be made to its Jenkins pipelines to account for the slow transit through firewalled networks. And the biz ended up shipping pre-built machine images to AWS China rather than source code, even though transmitting the multi-gigabyte files could take up to 20 hours.
In short, to get to the point of set-and-forget code deployment, there's more to think about than you thought. ®